Update: The recent "patch" that the rootkit's developer released does not actually fix the problem -- do not install it! It adds more software of the same type, probably better hidden and more dangerous. Do not trust any software or hardware from First4Internet or Sony BMG Music ever again. Now, here's my original post.
After this Halloween's revelation that Sony is installing rootkits without authorization through copy-protected CDs, I'm even happier that I switched to Linux. If you haven't heard of this recent development, you should read up on it. I'll give a glossary and a response.
- DRM (digital rights management): Also known as the "spawn of Satan" ("SOS", for short), digital rights management is any technology that seeks to control the usage of digital materials, usually by preventing the end user from freely copying or even freely playing the content. Often, this can result in a user being unable to have full use of their legally purchased hardware (e.g. iPod) and data (e.g. music). The company that maintains a DRM system usually reserves the right to change a user's privileges at any time without notification. One example of abuse of DRM occurs with DVDs. Some producers are including commercials in the section of the DVD that your DVD player is forced to play -- the FBI warning track. You can't skip or pause it. Fun. Sony's DRM software prevents you from playing the CD if certain conditions are not met, and probably runs a check to see if your copy of the music is really yours.
- A rootkit is a piece of software that is installed (usually) without consent and which enables another party to conceal files and programs from the authorized user of the system. In this case, Sony's rootkit hides the DRM software from the user in an attempt to prevent illegal copying.
- When you pop in a CD, Microsoft Windows will automatically run whatever files the CD wants it to run, without asking your permission. These auto-run programs run with administrative privileges, meaning they can do whatever they want to your system. You have to explicitly turn off this feature somewhere in the Control Panel, or you can hold down the Shift key while the CD spins up. But be careful! By doing so, you are circumventing a DRM device, which is in direct violation of the DMCA.
- The DMCA (Digital Millennium Copyright Act) is a US law that imposes severe penalties for circumventing any copy-control device, such as DRM. This means anything from writing a program that bypasses a copy-control program to simply using a documented feature to bypass DRM. Alex Halderman, a Princeton student, released a paper describing how simply pressing the Shift key while inserting a music disc with SunnComm protection would remove all restrictions on it. For his trouble, the company simultaneously claimed he had violated the DMCA (because his program worked) and that he was committing libel (because his method didn't work). Then they sued him for 10 mil. (The lawsuit was later dropped.)
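To make the auto-run entry above concrete, here is an added example (not part of the original post) that lists the programs a disc's `autorun.inf` asks Windows to launch, and checks whether a `NoDriveTypeAutoRun` policy value switches auto-run off for CD drives. The registry value name and its CD-ROM bit are not mentioned in the post; the sample file and sample policy values are constructed.

```python
import configparser

# Bit for CD-ROM drives in the NoDriveTypeAutoRun policy value
# (a set bit disables auto-run for that drive type).
CDROM_BIT = 0x20

# Constructed sample, not taken from any real disc.
SAMPLE_INF = """\
[AutoRun]
; a disc can name any program it likes here
open=player\\launch.exe /quiet
icon=disc.ico
shell\\install\\command=setup.exe
"""


def autorun_commands(inf_text):
    """Return (key, command) pairs that autorun.inf asks Windows to run."""
    parser = configparser.ConfigParser(
        interpolation=None,   # commands may contain '%'
        strict=False,         # tolerate duplicate keys
        delimiters=("=",),    # ':' appears in Windows paths
    )
    parser.read_string(inf_text)
    found = []
    for section in parser.sections():
        if section.lower() != "autorun":   # section name is case-insensitive
            continue
        for key, value in parser.items(section):  # keys arrive lower-cased
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell\\") and key.endswith("\\command")
            )
            if launches:
                found.append((key, value.strip()))
    return found


def cd_autorun_disabled(no_drive_type_autorun):
    """True if the policy value turns auto-run off for CD-ROM drives."""
    return bool(no_drive_type_autorun & CDROM_BIT)


if __name__ == "__main__":
    for key, command in autorun_commands(SAMPLE_INF):
        print(f"disc would launch via {key!r}: {command}")
    for value in (0x91, 0xFF):  # constructed sample policy values
        print(hex(value), "CD auto-run disabled:", cd_autorun_disabled(value))
```

Running the parser over a disc's `autorun.inf` from a system that does not honour auto-run shows what would have been started before anything is executed.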
What does this mean for you? It means that Sony BMG Music wants to prevent you from having full use of your computer, just so they can make a few extra bucks. They don't care about you. They don't care that this exposes your computer and your personal information (credit card info, personal correspondence, financial records, trade secrets) to more crackers and viruses. They don't care that it can permanently screw up your operating system, rendering it unusable without a full reinstall (I hope you backed up your data). They have lied in the End-User License Agreement -- a legally binding contract.
Should music come with a EULA? Can users be trusted? Can companies be trusted? Is this a case of computer trespassing? (It is in the UK.) Can you sue them for damages? Should you be able to? If you buy a computer, should you have the right to use it fully? If you buy a CD, should you have the right to use it fully? Should there be laws (like the DMCA) protecting the music industry's interests? Should there be laws protecting your interests? (They don't exist yet.) These are questions you need to answer for yourself. Talk about these questions with others -- they will affect the future of digital media: textbooks, library books, music, television, movies, educational materials, and software.
In my view, this is totally unacceptable, and has led me to a set of resolutions:
- I vow to return any DVDs with commercials on unskippable tracks for a full refund
- I vow never to buy music discs that are DRM protected
- I vow never again to buy software or hardware from Sony, or any other company that employs such tactics
What will you do?
As a first step I went ahead and sent Sony Music an inquiry about this apparent illegal activity. Just to let them know they're on my radar.
I'm curious as to the nature of the software that Sony's new DRM-protected CDs install on Windows machines. It appears to be a rootkit that hides the DRM executables from the user, but isn't mentioned as such in the EULA. That would appear to be illegal. Am I missing something here?
We'll see what comes back down the pipe. In the meantime, you might ask them some questions yourself. If you are one of the unlucky souls to have actually purchased a Sony DRM CD (it'll say copy-protected and won't have the CD logo that's on your CD drive door), return it for a full refund. Funny thing about returning it is that it invokes Article 9, part 3 of the EULA, which demands that you remove "all licensed materials" -- that includes the DRM software. Removing it will prevent you from playing any CDs. Sounds like a manufacturing defect to me. So give a call to their Quality Management Department, whose number is listed on the feedback page.
If you believe a Sony Music product has a manufacturing defect, please call our Quality Management Department at 800-255-7514
Tell them you purchased a Sony copy-protected CD by [group name] with the title [album title], that you no longer own it, that the EULA says you have to remove the software, but you can't because it will screw up your machine. I'm no lawyer, but I'm pretty sure that the "Limitation of Liability" clause is generally considered by the legal community to only cover accidental damages, not intentional effects like an intentionally un-removable rootkit. See what you can get out of them. But be kind to the customer service representatives. They weren't responsible, and the one I spoke to didn't know about this incident.